[Oisf-devel] suricata 1.3.4 coredump caused by segfault

xbadou xbadou xbadou at gmail.com
Mon Dec 3 02:38:35 UTC 2012


Hi,

I used the 'top' command; my memory is as follows:

Mem:   3080880k total,   356708k used,  2724172k free,     6452k buffers
Swap:  2650684k total,        0k used,  2650684k free,    83212k cached

When Suricata starts, it uses about 6.6% (~203MB). But it becomes larger and
larger.

The following is some of the log from when Suricata starts.

3/12/2012 -- 08:44:50 - <Info> - AutoFP mode using default "Active Packets"
flow load balancer
3/12/2012 -- 08:44:50 - <Info> - Use pid file /var/run/suricata.pid from
config file.
3/12/2012 -- 08:44:50 - <Info> - preallocated 5000 packets. Total memory
15440000
3/12/2012 -- 08:44:50 - <Info> - allocated 131072 bytes of memory for the
host hash... 4096 buckets of size 32
3/12/2012 -- 08:44:50 - <Info> - preallocated 1000 hosts of size 72
3/12/2012 -- 08:44:50 - <Info> - host memory usage: 203072 bytes, maximum:
16777216
3/12/2012 -- 08:44:50 - <Info> - allocated 2097152 bytes of memory for the
flow hash... 65536 buckets of size 32
3/12/2012 -- 08:44:50 - <Info> - preallocated 10000 flows of size 176
3/12/2012 -- 08:44:50 - <Info> - flow memory usage: 3857152 bytes, maximum:
33554432
3/12/2012 -- 08:44:50 - <Info> - using magic-file /usr/share/file/magic
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
"ipv6.ipv4_in_ipv6_too_small"
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA
IPv4-in-IPv6 packet too short"; decode-event:ipv6.ipv4_in_ipv6_too_small;
sid:2200082; rev:1;)" from file /etc/suricata/rules/decoder-events.rules at
line 93
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
"ipv6.ipv4_in_ipv6_wrong_version"
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA
IPv4-in-IPv6 invalid protocol";
decode-event:ipv6.ipv4_in_ipv6_wrong_version; sid:2200083; rev:1;)" from
file /etc/suricata/rules/decoder-events.rules at line 94
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
"ipv6.ipv6_in_ipv6_too_small"
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA
IPv6-in-IPv6 packet too short"; decode-event:ipv6.ipv6_in_ipv6_too_small;
sid:2200084; rev:1;)" from file /etc/suricata/rules/decoder-events.rules at
line 96
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE:
SC_ERR_UNKNOWN_DECODE_EVENT(191)] - unknown decode event
"ipv6.ipv6_in_ipv6_wrong_version"
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
error parsing signature "alert pkthdr any any -> any any (msg:"SURICATA
IPv6-in-IPv6 invalid protocol";
decode-event:ipv6.ipv6_in_ipv6_wrong_version; sid:2200085; rev:1;)" from
file /etc/suricata/rules/decoder-events.rules at line 97
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] -
opening rule file /etc/suricata/rules/emerging-botcc.rules: No such file or
directory.
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] -
opening rule file /etc/suricata/rules/emerging-ciarmy.rules: No such file
or directory.
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] -
opening rule file /etc/suricata/rules/emerging-compromised.rules: No such
file or directory.
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] -
opening rule file /etc/suricata/rules/emerging-drop.rules: No such file or
directory.
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] -
opening rule file /etc/suricata/rules/emerging-dshield.rules: No such file
or directory.
3/12/2012 -- 08:44:53 - <Error> - [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] -
opening rule file /etc/suricata/rules/emerging-tor.rules: No such file or
directory.
3/12/2012 -- 08:44:53 - <Info> - 41 rule files processed. 6106 rules
succesfully loaded, 4 rules failed
3/12/2012 -- 08:44:54 - <Info> - 6114 signatures processed. 4 are IP-only
rules, 2880 are inspecting packet payload, 3885 inspect application layer,
72 are decoder event only
3/12/2012 -- 08:44:54 - <Info> - building signature grouping structure,
stage 1: adding signatures to signature source addresses... complete
3/12/2012 -- 08:44:54 - <Info> - building signature grouping structure,
stage 2: building source address list... complete
3/12/2012 -- 08:44:56 - <Info> - building signature grouping structure,
stage 3: building destination address lists... complete
3/12/2012 -- 08:44:57 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error
opening file: "/etc/suricata//threshold.config": No such file or directory
3/12/2012 -- 08:44:57 - <Info> - Core dump size is unlimited.
3/12/2012 -- 08:44:57 - <Info> - fast output device (regular) initialized:
fast.log
3/12/2012 -- 08:44:57 - <Info> - Unified2-alert initialized: filename
unified2.alert, limit 32 MB
3/12/2012 -- 08:44:57 - <Info> - Using 1 live device(s).
3/12/2012 -- 08:44:57 - <Info> - Unable to find pcap config for interface
wafbridge1, using default value
3/12/2012 -- 08:44:57 - <Info> - using interface wafbridge1
3/12/2012 -- 08:44:57 - <Info> - RunModeIdsPcapAutoFp initialised
3/12/2012 -- 08:44:57 - <Info> - stream "max-sessions": 262144
3/12/2012 -- 08:44:57 - <Info> - stream "prealloc-sessions": 32768
3/12/2012 -- 08:44:57 - <Info> - stream "memcap": 33554432
3/12/2012 -- 08:44:57 - <Info> - stream "midstream" session pickups:
disabled
3/12/2012 -- 08:44:57 - <Info> - stream "async-oneside": disabled
3/12/2012 -- 08:44:57 - <Info> - stream "checksum-validation": enabled
3/12/2012 -- 08:44:57 - <Info> - stream."inline": disabled
3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "memcap": 67108864
3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "depth": 1048576
3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "toserver-chunk-size":
2560
3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "toclient-chunk-size":
2560
3/12/2012 -- 08:44:57 - <Info> - all 7 packet processing threads, 3
management threads initialized, engine started.


My testing network is like this.

Working  Network  ------Suricata-------Internet

Working network bandwidth is about 8~30 Mbit/s. All the traffic with which we
visit the Internet is checked by Suricata.

Thank you.



On Fri, Nov 30, 2012 at 6:44 PM, Peter Manev <petermanev at gmail.com> wrote:

> Hi,
>
> You mention that you have small traffic - how much memory does Suricata
> use? how many rules do you load?
>
> thank you
>
> On Fri, Nov 30, 2012 at 3:50 AM, xbadou xbadou <xbadou at gmail.com> wrote:
>
>> Thank you very much.
>>
>> But I want to know whether I can do something to limit the max memory
>> usage of Suricata, because I just have very small network traffic. I
>> think 4 GB is maybe enough for me. I just want Suricata to keep alive if it
>> can't get more memory, or have Suricata do some memory clean-up jobs if it
>> can't allocate more memory.
>>
>> If Suricata gets a segfault very often, I think I may need a watchdog to
>> watch this and restart it.
>>
>>
>> On Fri, Nov 30, 2012 at 10:26 AM, Marcos Rodriguez <
>> marcos.e.rodriguez at gmail.com> wrote:
>>
>>>
>>>
>>> On Thu, Nov 29, 2012 at 8:23 PM, xbadou xbadou <xbadou at gmail.com> wrote:
>>>
>>>> Yes, I am running Debian 5 with kernel 2.6.31.14, 32-bit. And the system
>>>> RAM size is 2GB*2.
>>>>
>>>> So, if it is really this issue, how can I avoid this coredump happening?
>>>> Can I change some settings in the suricata.yaml file?
>>>>
>>>> Thanks.
>>>>
>>>
>>>
>>> At the bottom of the suricata.yaml file, you'll find this section:
>>>
>>> # Suricata core dump configuration. Limits the size of the core dump file to
>>> # approximately max-dump. The actual core dump size will be a multiple of the
>>> # page size. Core dumps that would be larger than max-dump are truncated. On
>>> # Linux, the actual core dump size may be a few pages larger than max-dump.
>>> # Setting max-dump to 0 disables core dumping.
>>> # Setting max-dump to 'unlimited' will give the full core dump file.
>>> # On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
>>> # to be 'unlimited'.
>>>
>>> coredump:
>>>   max-dump: unlimited
>>>
>>> Change the max-dump to 0 to disable.  :o)
>>>
>>> marcos
>>>
>>
>>
>> _______________________________________________
>> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Participate:
>> http://suricata-ids.org/participate/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>> Redmine: https://redmine.openinfosecfoundation.org/
>>
>
>
>
> --
> Regards,
> Peter Manev
>
>
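The thread turns on two questions: how much memory Suricata is actually bounded to by its memcaps, and how to notice when the process has grown past that before the 32-bit address space runs out. The startup log above already states the relevant ceilings (host and flow "maximum", stream and reassembly "memcap"). The script below is an added example, not code from the thread or from the Suricata project: it sums those ceilings from log lines copied from the post, reads the live RSS of a process from /proc, and compares the two so a watchdog can log or restart before a segfault. The awk patterns assume the 1.3.x log wording shown above; the 32 MiB allowance for the detection engine and rule groups is a constructed placeholder, since those allocations are not under any memcap and are the usual reason RSS exceeds the memcap sum.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Suricata project).
# Sample log lines are copied from the startup log posted in the thread.
SAMPLE_LOG='3/12/2012 -- 08:44:50 - <Info> - host memory usage: 203072 bytes, maximum: 16777216
3/12/2012 -- 08:44:50 - <Info> - flow memory usage: 3857152 bytes, maximum: 33554432
3/12/2012 -- 08:44:57 - <Info> - stream "memcap": 33554432
3/12/2012 -- 08:44:57 - <Info> - stream.reassembly "memcap": 67108864'

# Constructed allowance (bytes) for memory that no memcap bounds: detection
# engine, signature groups, output buffers. Tune it from your own 'top' readings.
ENGINE_ALLOWANCE=33554432

# memcap_total LOG_TEXT
# Sum every "maximum: N" and "memcap": N ceiling the engine reported at start.
# Pattern assumes the Suricata 1.3.x log format shown in the thread.
memcap_total() {
    printf '%s\n' "$1" | awk '
        /maximum: [0-9]+$/  { total += $NF }
        /"memcap": [0-9]+$/ { total += $NF }
        END { printf "%d\n", total }'
}

# memory_budget LOG_TEXT
# Memcap sum plus the fixed allowance: what RSS should stay under if the
# memcaps are holding and nothing else is leaking.
memory_budget() {
    echo $(( $(memcap_total "$1") + ENGINE_ALLOWANCE ))
}

# rss_kib_of PID
# Resident set size in KiB from /proc/PID/status (Linux), empty if PID is gone.
rss_kib_of() {
    awk '/^VmRSS:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# rss_over_budget RSS_KIB BUDGET_BYTES  -> exit 0 when RSS exceeds the budget
rss_over_budget() {
    [ $(( $1 * 1024 )) -gt "$2" ]
}

# watchdog PIDFILE LOG_TEXT INTERVAL_SECONDS
# Restart-or-alert loop: exits 2 if the process died (the segfault case in the
# thread), exits 3 if RSS grew past the budget, so an outer supervisor can
# restart Suricata and keep the core dump for analysis.
watchdog() {
    pidfile=$1; budget=$(memory_budget "$2"); interval=${3:-30}
    while :; do
        pid=$(cat "$pidfile" 2>/dev/null) || return 2
        kill -0 "$pid" 2>/dev/null || { echo "suricata pid $pid is gone"; return 2; }
        rss=$(rss_kib_of "$pid")
        if rss_over_budget "${rss:-0}" "$budget"; then
            echo "suricata pid $pid RSS ${rss} KiB exceeds budget ${budget} bytes"
            return 3
        fi
        sleep "$interval"
    done
}

# Usage from a wrapper started alongside Suricata (pid file path is the one
# the posted log reports):
#   watchdog /var/run/suricata.pid "$(grep -E 'maximum:|memcap' /var/log/suricata/suricata.log)" 60
```

The memcap sum for the posted configuration comes to 150994944 bytes (144 MiB), which is well below the ~203 MB the poster already sees at startup; the difference is exactly the uncapped engine state the allowance stands in for. Running the watchdog under a supervisor that restarts Suricata on exit code 2 or 3 gives the "keep alive" behaviour asked for in the thread without touching the coredump setting, so the dump stays available for the developers.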